Summary

Security Advisory ID : BSA-2019-767

Component : LIBSSH2

Revision : 1.0: Final

libssh2 is a client-side C library implementing the SSH2 protocol.  It supports regular terminal, SCP and SFTP sessions; port forwarding, X11 forwarding; password, key-based and keyboard-interactive authentication. Libssh2 releases security update for nine vulenrabilities on March 18, 2019.

CVE-2019-3855: Possible integer overflow in transport read that could lead to an out-of-bounds write. A malicious server, or a remote attacker who compromises an SSH server, could send a specially crafted packet which could result in executing malicious code on the client system when a user connects to the server.

CVE-2019-3856: Possible integer overflow in keyboard interactive handling allows out-of-bounds write. A malicious or a compromised SSH server can exploit client system by sending a value approaching unsigned int max number of keyboard prompt requests.

CVE-2019-3857: Possible integer overflow issue leads to zero-byte allocation and out-of-bounds write. A malicious server could send an SSH_MSG_CHANNEL_REQUEST packet with an exit signal message with a length of max unsigned integer value.

CVE-2019-3858: Possible zero-byte allocation leading to an out-of-bounds. Attacking server can send a specially crafted partial SFTP packet with a zero value for the payload length, allowing attackers to cause a Denial of Service or read data in the client memory.

CVE-2019-3859: Out-of-bounds reads with specially crafted payloads due to unchecked use of "_libssh2_packet_require and _libssh2_packet_requirev." A server could send a specially crafted partial packet in response to various commands such as: sha1 and sha226 key exchange, user auth list, user auth password response, allowing attackers to cause a Denial of Service or read data in the client memory.

CVE-2019-3860: Out-of-bounds reads with specially crafted SFTP packets that also lead to Denial of Service or read data in the client memory attacks.

CVE-2019-3861: Out-of-bounds reads with specially crafted SSH packets that occurs when the padding length value is greater than the packet length, resulting in the parsing of the corrupted packet.

CVE-2019-3862: An out of bounds read issue occurs when the server sends specially crafted SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload, resulting in Denial of Service or read data in the client memory.

CVE-2019-3863: Integer overflow in the user authenticated keyboard interactive allows out-of-bounds writes.

More information about these vulnerabilities can be found at: https://www.libssh2.org/security.html

Products Confirmed Not Vulnerable
No Brocade Fibre Channel technology products from Broadcom are currently known to be affected by these vulnerabilities. 

Revision History